Privacy by Design Data Exchange Between CSIRTs

  • Erich Schweighofer
  • Vinzenz Heussler
  • Peter Kieseberg
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10518)

Abstract

Computer Security Incident Response Teams (CSIRTs) may exchange personal data about incidents. A privacy by design solution can ensure compliance with data protection law and the protection of trade secrets. An information platform for CSIRTs is proposed on which incidents are reported in encoded form: without further personal data, only the quantity, region and industry of the attacks can be read out. Additional data, primarily from a CSIRT's own security incidents, can then be used to calculate a similarity to other incidents.
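The abstract does not say how the "encoded form" is built. As an added example (not the paper's code), the sketch below shows one way such a platform can satisfy the two properties the abstract describes: every reader can count incidents per region and industry, but only a party that holds the shared key and its own incident data can measure overlap with other reports. Personal and secret fields (attacker addresses, victim hosts) are replaced by a keyed SHA3-256 pseudonym under a key shared among the CSIRTs and never stored on the platform. The key, the field names and the sample incidents are all constructed for this example; the paper may use a different encoding.

```python
"""Added example (not the paper's code): keyed pseudonymisation of CSIRT
incident indicators so that a shared platform exposes only region, industry
and counts, while key holders can still compute incident similarity."""

import hashlib
import hmac
from collections import Counter

# Assumption: a key shared among participating CSIRTs, never stored on the
# platform. Constructed value for this example.
PLATFORM_KEY = b"example-shared-csirt-key"

# Constructed sample incidents as a CSIRT would hold them internally.
SAMPLE_INCIDENTS = [
    {"region": "AT", "industry": "energy",
     "indicators": ["203.0.113.7", "198.51.100.20", "scada-hmi-01.example"]},
    {"region": "AT", "industry": "energy",
     "indicators": ["203.0.113.7", "198.51.100.21"]},
    {"region": "DE", "industry": "finance",
     "indicators": ["192.0.2.33", "bank-vpn.example"]},
]


def pseudonymise(indicator: str, key: bytes = PLATFORM_KEY) -> str:
    """Keyed SHA3-256 of one indicator: equal inputs give equal pseudonyms,
    and a party without the key can neither invert nor guess-and-check them."""
    canonical = indicator.strip().lower().encode()
    return hmac.new(key, canonical, hashlib.sha3_256).hexdigest()


def encode_incident(incident: dict, key: bytes = PLATFORM_KEY) -> dict:
    """The record as submitted to the platform: region, industry and the
    deduplicated set of pseudonymised indicators. No plaintext indicator survives."""
    return {
        "region": incident["region"],
        "industry": incident["industry"],
        "indicators": sorted({pseudonymise(i, key) for i in incident["indicators"]}),
    }


def aggregate(platform_records: list) -> Counter:
    """What any reader of the platform learns without further data:
    the number of incidents per (region, industry)."""
    return Counter((r["region"], r["industry"]) for r in platform_records)


def similarity(own_incident: dict, platform_record: dict,
               key: bytes = PLATFORM_KEY) -> float:
    """Jaccard overlap between a CSIRT's own plaintext indicators and a platform
    record, computed on the pseudonymised side. Without the correct key the
    pseudonyms never match, so the overlap is 0."""
    own = {pseudonymise(i, key) for i in own_incident["indicators"]}
    other = set(platform_record["indicators"])
    union = own | other
    return len(own & other) / len(union) if union else 0.0


def most_similar(own_incident: dict, platform_records: list,
                 key: bytes = PLATFORM_KEY):
    """Index and score of the closest platform record, or (None, 0.0)."""
    best = (None, 0.0)
    for idx, rec in enumerate(platform_records):
        score = similarity(own_incident, rec, key)
        if score > best[1]:
            best = (idx, score)
    return best


if __name__ == "__main__":
    records = [encode_incident(i) for i in SAMPLE_INCIDENTS]
    print(aggregate(records))
    new_case = {"region": "AT", "industry": "energy",
                "indicators": ["203.0.113.7", "198.51.100.20", "unrelated.example"]}
    print(most_similar(new_case, records))
```

The keyed hash is what keeps the platform itself from running a dictionary attack over the IPv4 space or a list of known hostnames: an unkeyed hash of an IP address is trivially reversible. The caveat a practitioner should keep in mind is that any key holder can still test guesses against everybody's records, so the key must be restricted to the CSIRTs entitled to compare data, and rotating it invalidates all stored pseudonyms at once.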

Keywords

NIS directive, GDPR, CSIRTs, Information platform, Privacy by design

Notes

Acknowledgments

This work has received funding as part of the project Cyber Incident Situational Awareness (CISA) within the Austrian security research program KIRAS.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Erich Schweighofer (1)
  • Vinzenz Heussler (1)
  • Peter Kieseberg (2)

  1. Centre for Computers and Law, University of Vienna, Vienna, Austria
  2. SBA Research, Vienna, Austria